glibc: backport CVE fixes

Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591

(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)

Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as its in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

3 files changed, 282 insertions, 0 deletions

diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
new file mode 100644
index 0000000000..7eb55d6663
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -0,0 +1,232 @@
+CVE: CVE-2016-10739
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 08:59:42 +0100
+Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+
+(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
+---
+ ChangeLog          |   5 ++
+ resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+ 2 files changed, 106 insertions(+), 91 deletions(-)
+
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 022f7ea084..32f58b0e13 100644
+--- a/resolv/inet_addr.c
++++ b/resolv/inet_addr.c
+@@ -1,3 +1,21 @@
++/* Legacy IPv4 text-to-address functions.
++   Copyright (C) 2019 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
+ /*
+  * Copyright (c) 1983, 1990, 1993
+  *    The Regents of the University of California.  All rights reserved.
+@@ -78,105 +96,97 @@
+ #include <limits.h>
+ #include <errno.h>
+ 
+-/*
+- * Ascii internet address interpretation routine.
+- * The value returned is in network order.
+- */
++/* ASCII IPv4 Internet address interpretation routine.  The value
++   returned is in network order.  */
+ in_addr_t
+-__inet_addr(const char *cp) {
+-       struct in_addr val;
++__inet_addr (const char *cp)
++{
++  struct in_addr val;
+ 
+-       if (__inet_aton(cp, &val))
+-               return (val.s_addr);
+-       return (INADDR_NONE);
++  if (__inet_aton (cp, &val))
++    return val.s_addr;
++  return INADDR_NONE;
+ }
+ weak_alias (__inet_addr, inet_addr)
+ 
+-/*
+- * Check whether "cp" is a valid ascii representation
+- * of an Internet address and convert to a binary address.
+- * Returns 1 if the address is valid, 0 if not.
+- * This replaces inet_addr, the return value from which
+- * cannot distinguish between failure and a local broadcast address.
+- */
++/* Check whether "cp" is a valid ASCII representation of an IPv4
++   Internet address and convert it to a binary address.  Returns 1 if
++   the address is valid, 0 if not.  This replaces inet_addr, the
++   return value from which cannot distinguish between failure and a
++   local broadcast address.  */
+ int
+-__inet_aton(const char *cp, struct in_addr *addr)
++__inet_aton (const char *cp, struct in_addr *addr)
+ {
+-       static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+-       in_addr_t val;
+-       char c;
+-       union iaddr {
+-         uint8_t bytes[4];
+-         uint32_t word;
+-       } res;
+-       uint8_t *pp = res.bytes;
+-       int digit;
+-
+-       int saved_errno = errno;
+-       __set_errno (0);
+-
+-       res.word = 0;
+-
+-       c = *cp;
+-       for (;;) {
+-               /*
+-                * Collect number up to ``.''.
+-                * Values are specified as for C:
+-                * 0x=hex, 0=octal, isdigit=decimal.
+-                */
+-               if (!isdigit(c))
+-                       goto ret_0;
+-               {
+-                       char *endp;
+-                       unsigned long ul = strtoul (cp, (char **) &endp, 0);
+-                       if (ul == ULONG_MAX && errno == ERANGE)
+-                               goto ret_0;
+-                       if (ul > 0xfffffffful)
+-                               goto ret_0;
+-                       val = ul;
+-                       digit = cp != endp;
+-                       cp = endp;
+-               }
+-               c = *cp;
+-               if (c == '.') {
+-                       /*
+-                        * Internet format:
+-                        *      a.b.c.d
+-                        *      a.b.c   (with c treated as 16 bits)
+-                        *      a.b     (with b treated as 24 bits)
+-                        */
+-                       if (pp > res.bytes + 2 || val > 0xff)
+-                               goto ret_0;
+-                       *pp++ = val;
+-                       c = *++cp;
+-               } else
+-                       break;
+-       }
+-       /*
+-        * Check for trailing characters.
+-        */
+-       if (c != '\0' && (!isascii(c) || !isspace(c)))
+-               goto ret_0;
+-       /*
+-        * Did we get a valid digit?
+-        */
+-       if (!digit)
+-               goto ret_0;
+-
+-       /* Check whether the last part is in its limits depending on
+-          the number of parts in total.  */
+-       if (val > max[pp - res.bytes])
++  static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
++  in_addr_t val;
++  char c;
++  union iaddr
++  {
++    uint8_t bytes[4];
++    uint32_t word;
++  } res;
++  uint8_t *pp = res.bytes;
++  int digit;
++
++  int saved_errno = errno;
++  __set_errno (0);
++
++  res.word = 0;
++
++  c = *cp;
++  for (;;)
++    {
++      /* Collect number up to ``.''.  Values are specified as for C:
++        0x=hex, 0=octal, isdigit=decimal.  */
++      if (!isdigit (c))
++       goto ret_0;
++      {
++       char *endp;
++       unsigned long ul = strtoul (cp, &endp, 0);
++       if (ul == ULONG_MAX && errno == ERANGE)
+          goto ret_0;
+-
+-       if (addr != NULL)
+-               addr->s_addr = res.word | htonl (val);
+-
+-       __set_errno (saved_errno);
+-       return (1);
+-
+-ret_0:
+-       __set_errno (saved_errno);
+-       return (0);
++       if (ul > 0xfffffffful)
++         goto ret_0;
++       val = ul;
++       digit = cp != endp;
++       cp = endp;
++      }
++      c = *cp;
++      if (c == '.')
++       {
++         /* Internet format:
++            a.b.c.d
++            a.b.c      (with c treated as 16 bits)
++            a.b        (with b treated as 24 bits).  */
++         if (pp > res.bytes + 2 || val > 0xff)
++           goto ret_0;
++         *pp++ = val;
++         c = *++cp;
++       }
++      else
++       break;
++    }
++  /* Check for trailing characters.  */
++  if (c != '\0' && (!isascii (c) || !isspace (c)))
++    goto ret_0;
++  /*  Did we get a valid digit?  */
++  if (!digit)
++    goto ret_0;
++
++  /* Check whether the last part is in its limits depending on the
++     number of parts in total.  */
++  if (val > max[pp - res.bytes])
++    goto ret_0;
++
++  if (addr != NULL)
++    addr->s_addr = res.word | htonl (val);
++
++  __set_errno (saved_errno);
++  return 1;
++
++ ret_0:
++  __set_errno (saved_errno);
++  return 0;
+ }
+ weak_alias (__inet_aton, inet_aton)
+ libc_hidden_def (__inet_aton)
+-- 
+2.11.0
diff --git a/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch
new file mode 100644
index 0000000000..9c78a3dfa0
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2018-19591.patch
@@ -0,0 +1,48 @@
+CVE: CVE-2018-19591
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From ce6ba630dbc96f49eb1f30366aa62261df4792f9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 27 Nov 2018 16:12:43 +0100
+Subject: [PATCH] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong
+ name [BZ #23927]
+
+(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)
+---
+ ChangeLog                          |  7 +++++++
+ NEWS                               |  6 ++++++
+ sysdeps/unix/sysv/linux/if_index.c | 11 ++++++-----
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c
+index e3d08982d9..782fc5e175 100644
+--- a/sysdeps/unix/sysv/linux/if_index.c
++++ b/sysdeps/unix/sysv/linux/if_index.c
+@@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname)
+   return 0;
+ #else
+   struct ifreq ifr;
+-  int fd = __opensock ();
+-
+-  if (fd < 0)
+-    return 0;
+-
+   if (strlen (ifname) >= IFNAMSIZ)
+     {
+       __set_errno (ENODEV);
+@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname)
+     }
+ 
+   strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
++
++  int fd = __opensock ();
++
++  if (fd < 0)
++    return 0;
++
+   if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0)
+     {
+       int saved_errno = errno;
+-- 
+2.11.0
diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb
index 1bcec3ecb1..0839fa126d 100644
--- a/meta/recipes-core/glibc/glibc_2.28.bb
+++ b/meta/recipes-core/glibc/glibc_2.28.bb
@@ -48,6 +48,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
            file://0034-inject-file-assembly-directives.patch \
            file://CVE-2019-9169.patch \
+           file://CVE-2016-10739.patch \
+           file://CVE-2018-19591.patch \
 "
 
 NATIVESDKFIXES ?= ""